Software Asset Management: Know What's Running on Your Systems

Here's a question that stumps most small business owners: do you know exactly what software is installed on every device in your business right now?

Most can give a rough answer. Microsoft 365, sure. Their accounting software, yes. But what about the browser extensions your receptionist installed? The free utility someone downloaded to open a PDF? The old trial version of design software sitting on the office laptop? The app a former employee installed and never mentioned?

This is the software visibility problem — and it's a genuine security risk. You can't patch software you don't know about. You can't remove software that's creating vulnerabilities if you don't know it's there. And you can't manage licences and compliance for software that's invisible to you.

Software Asset Management (SAM) is the practice of knowing what software you have, where it is, and whether it's up to date. It doesn't require specialist tools or an IT department. It requires discipline and a simple process.

Why Software Visibility Matters for Security

Every piece of software installed on a device is a potential attack surface. It may have vulnerabilities. It may connect to the internet in ways you don't realise. It may have weak default settings. And if it's not on your radar, it won't be on your patching schedule.

The ASD's Essential Eight framework includes application control as one of its eight priority mitigation strategies. The principle is simple: only allow authorised software to run on business devices. Everything else should be blocked. While full application whitelisting may be complex for small businesses, the underlying principle — knowing and controlling what software is on your systems — is practical at any scale.

The ACSC also highlights unpatched software as a top attack vector. A software inventory is a prerequisite for effective patching — you can't patch what you don't know about.

What Is Your Attack Surface?

Your attack surface is the total sum of entry points an attacker could use to access your systems. Every application, browser extension, plugin, and service installed on your devices adds to that surface. More software equals more potential vulnerabilities.

Common sources of unknown software in small businesses include:

• Staff installing personal apps on work devices — games, utilities, personal cloud storage
• Trial software that was never removed after evaluation
• Browser extensions added for convenience without considering security implications
• Legacy applications left running after a migration to a newer system
• Software installed by former employees that was never audited on their departure
• Vendor-installed tools left behind after a support visit

How to Build a Simple Software Inventory

You don't need specialist software management tools to get started. Here's a practical approach for a small business:

Step 1: List Your Devices

Start with a spreadsheet. List every device in your business: desktops, laptops, tablets, servers. Include the device name, the user it's assigned to, and the operating system it runs.

Step 2: Audit Installed Applications

On each Windows device, go to Settings > Apps > Installed Apps for a complete list of what's installed. On Mac, check the Applications folder and the list under System Information > Software. Record what you find.

Step 3: Check for Browser Extensions

Browser extensions are frequently overlooked and can be significant security risks. In Chrome, go to chrome://extensions. In Edge, go to edge://extensions. In Firefox, go to about:addons. Review what's installed and remove anything that isn't necessary or authorised.

Step 4: Flag Anything Unexpected or Unsupported

As you review the inventory, note any software that:

• You don't recognise or can't identify a business purpose for
• Hasn't been updated recently or is no longer supported by the vendor
• Is a personal app with no business use
• Has elevated permissions (admin rights) that aren't necessary

Step 5: Act on What You Find

• Remove software that has no business purpose
• Update software that is out of date
• Replace or isolate software that is no longer supported by the vendor
• Document authorised software so you have a baseline to compare against in future audits

Maintaining Your Inventory Over Time

A software audit done once is better than nothing — but it becomes outdated quickly. Establish a simple ongoing process:

• Quarterly review — spend 30 minutes reviewing each device's installed software list
• Offboarding check — when a staff member leaves, review their device before reassigning it
• New software policy — require staff to get approval before installing new software on business devices

If you're using Microsoft Intune, Jamf, or similar mobile device management tools, these can automate much of the inventory process and alert you to new software installations.

Tools That Can Help

For small businesses looking to automate software inventory, options include:

• Microsoft Intune — included in many Microsoft 365 Business plans, provides centralised device and software management
• Jamf Now — Apple-focused device management with software inventory for Mac and iOS
• Snipe-IT — free, open-source IT asset management tool
• Spiceworks Inventory — free tool for Windows environments with basic software auditing

Key Takeaways

• You can't secure software you don't know about — a software inventory is the foundation of effective patching and application control.
• Every installed application, browser extension, and plugin adds to your attack surface. Less is more.
• Building a basic software inventory for a small business takes a few hours and a simple spreadsheet.
• Remove unauthorised and unnecessary software, update what's out of date, and replace what's unsupported.
• Review your software inventory quarterly and establish a simple policy requiring approval for new software installations.
• Tools like Microsoft Intune and Jamf can automate inventory management as your business grows.

Ready to take a broader look at your cyber security posture? Get your free risk assessment at flagged.com.au — a quick, practical tool designed for Australian small businesses.